After receiving the password reset email and clicking the "Click Here" hyperlink, user is returned to the "Expired or Forgotten Password" page instead of arriving at the page to enter the new password.
The link in the email contains a one-time token meaning that if anyone goes to that specific URL the link will no longer work and the user is redirected to the password reset request page instead. On investigating this issue, we have found that McAfee Antivirus contains a default setting called ClickProtect which validates the URL but at the same time expends the one-time token. Other antivirus software may have a similar feature.
Solving the Problem with VON's Assistance:
The simplest solution is to request a manual password reset from the Vermont Oxford Network. Contact the support team (firstname.lastname@example.org or 802.488.5333) for assistance. A temporary password can be issued manually by our staff. This password should be used to login and update your password as soon as it is received and will expire in 24 hours.
A More Permanent Solution?
Per McAfee's own discussion thread on the subject there is no global allow-list to add our domain and the Sender Allow list does not affect ClickProtect. The only solution they offer is to disable ClickProtect. Our understanding is that McAfee intends to address this issue in a future release, but that update will be on that vendor's timeline.
Other Possible Causes:
A similar problem has been observed by users of Internet Explorer 9. The recommended solution is to use an up-to-date version of an alternate browser such as Chrome or Firefox. Support for Internet Explorer 9 has been deprecated by Microsoft and only applies to a few older operating systems such as Windows Vista or Windows Server 2008.